[Bug 179894] Re: passwd, pam_mount, and LUKS/dm_crypt need better integration
Thomas Hotz
thomas.hotz at gmail.com
Fri Nov 9 09:32:32 UTC 2012
** Changed in: cryptsetup (Ubuntu)
Status: New => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to cryptsetup in Ubuntu.
https://bugs.launchpad.net/bugs/179894
Title:
passwd, pam_mount, and LUKS/dm_crypt need better integration
Status in “cryptsetup” package in Ubuntu:
Confirmed
Bug description:
Wishlist item. If separate LUKS/dm_crypt volumes are being used for
each user's home directory they can be auto-mounted at login using
pam_mount by supplying a key file encrypted by the login password via
openssl that contains the LUKS/dm_crypt key and specifying it in
pam_mount.conf. But there is no mechanism for re-encrypting the key
file when the user changes their password resulting in them being left
in the empty home mount directory on their next login. While auto-
mounting an encrypted volume via a generally weak login password
reduces its effectiveness, this can be mitigated somewhat by storing
the keys somewhere like /etc/keys/dm_crypt with 700 permissions and
root ownership, increasing the default minimum password length to
something >6 characters, and using an encrypted root volume. This
setup is important for easing security implementation on laptops.
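
The missing step described in the bug report, as an added example that is not part of the original report, pam_mount or cryptsetup: re-wrapping the openssl-encrypted key file under the new login password, so the LUKS/dm_crypt key itself never changes. The cipher options (OpenSSL 1.1.1 or later), the function names and the KEY_BYTES length check are assumptions of this example.

```sh
#!/bin/sh
# Assumed wrapping parameters; they must match however the key file was created.
ENC_ARGS="-aes-256-cbc -pbkdf2 -iter 200000 -md sha256"

# Passwords are passed in the environment of the openssl child only, so they
# never appear in argv (ps output).

# wrap_key PASSWORD OUT_FILE      (raw volume key on stdin)
wrap_key() {
    WRAP_PW="$1" openssl enc -e $ENC_ARGS -salt -pass env:WRAP_PW -out "$2"
}

# unwrap_key PASSWORD ENC_FILE    (raw volume key on stdout)
unwrap_key() {
    WRAP_PW="$1" openssl enc -d $ENC_ARGS -pass env:WRAP_PW -in "$2"
}

# rewrap_key OLD_PW NEW_PW ENC_FILE KEY_BYTES
# Returns 0 on success, 2 if OLD_PW does not unwrap the file, 1 on other errors.
rewrap_key() {
    old=$1 new=$2 file=$3 keylen=$4
    # CBC carries no integrity tag: require a clean exit AND the expected key
    # size, otherwise a wrong password could occasionally pass as valid.
    unwrap_key "$old" "$file" >/dev/null 2>&1 || return 2
    [ "$(unwrap_key "$old" "$file" 2>/dev/null | wc -c)" -eq "$keylen" ] || return 2

    # Write the new wrapping beside the original (same filesystem) so the
    # final rename is atomic; mktemp creates the file with mode 0600.
    tmp=$(mktemp "$(dirname "$file")/.rewrap.XXXXXX") || return 1
    # The plaintext key only travels through the pipe, never to disk.
    unwrap_key "$old" "$file" | wrap_key "$new" "$tmp" || { rm -f "$tmp"; return 1; }

    # Confirm the new file opens with the new password and holds the same key
    # before the old wrapping is replaced.
    a=$(unwrap_key "$old" "$file" | openssl dgst -sha256)
    b=$(unwrap_key "$new" "$tmp" 2>/dev/null | openssl dgst -sha256)
    [ "$a" = "$b" ] || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$file"
}
```

A wrong old password leaves the existing key file untouched, so a failed password change cannot lock the user out of the volume.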